Fifty-sixth Legislature                                                         

First Regular Session                                                           

 

COMMITTEE ON GOVERNMENT

HOUSE OF REPRESENTATIVES AMENDMENTS TO H.B. 2416

(Reference to printed bill)

 

 


Strike everything after the enacting clause and insert:

"Section 1. Title 18, chapter 1, article 1, Arizona Revised Statutes, is amended by adding section 18-105, to read:

18-105. Cybersecurity threats; state information technology; standards; state employees and contractors; prohibition; exceptions; definitions

A. Not more than thirty days after the effective date of this section, the department shall develop standards, guidelines and practices for state agencies, contractors of this state and public institutions of higher education that do all of the following:

1. Require the removal of any covered application from state information technology.

2. Address the use of personal electronic devices by state employees and contractors of this state to conduct state business, including covered application-enabled cell phones with remote access to an employee's state email account.

3. Identify sensitive locations, meetings or personnel within a state agency that could be exposed to covered application-enabled personal devices and develop restrictions on the use of personal cell phones, tablets or laptops in a designated sensitive location.

B. Each state agency, contractor of this state and public institution of higher education shall develop policies to support the implementation of this section and report the policy to the Department.

C. State employees and contractors of this state may not conduct state business on any personal electronic device that has a covered application.

D. Each state agency, contractor of this state and public institution of higher education shall implement network-based restrictions to prevent the use of prohibited technologies on agency networks by any electronic device. Each state agency, contractor of this state and public institution of higher education shall strictly enforce this section.

E. Each state employee shall sign a document annually confirming that the state employee understands the standards, guidelines and practices adopted pursuant to this section. A state employee who is found to have violated this section may be subject to disciplinary action, including termination of employment.

F. The Department shall require all state agencies and public institutions of higher education to implement security controls on state information technology that do all of the following:

1. Restrict access to application stores or unauthorized software repositories to prevent the installation of unauthorized applications.

2. Have the ability to remotely disable noncompliant or compromised state information technology.

3. Have the ability to remotely uninstall unauthorized software from state information technology.

4. As necessary, deploy secure baseline configuration for state information technology.

5. Restrict access to any covered application on all agency technology infrastructures, including local networks, wide area networks, and virtual private network connections.

6. Restrict any personal electronic device that has a covered application from connecting to agency technology infrastructures or state data.

G. The Department may grant exceptions to this section to enable law enforcement investigations and other appropriate uses of covered applications on state-issued devices if the state agency or public institution of higher education requesting access establishes a separate network with the approval of the head of the agency or public institution of higher education. This authority may not be delegated. The exceptions described in this subsection must be reported to the Arizona department of Homeland Security. Exceptions may include any of the following:

1. Accomplishing a specific business need, such as enabling a criminal or civil investigation or sharing information to the public during an emergency.

2. For personal electronic devices, extenuating circumstances granted for a predetermined period of time. To the extent practicable, exception-based usage should be performed only on personal electronic devices that are not used for other state business and on nonstate networks. Cameras and microphones must be disabled on personal electronic devices for exception-based use.

H. A public institution of higher education may include in the policy submitted to the Department an exception to accommodate the use by students of a state email address provided by the public institution of higher education. Any exception shall be restricted to the student's use of a personal electronic device that is privately owned or leased by the student or a member of the student's immediate family and shall include network security considerations to protect the public institution of higher education's network and data from traffic related to covered applications.

I. The department shall develop, annually update and publish a list of applications, services, hardware and software that may be banned if the application, service, hardware or software presents a cybersecurity threat to this state. The department shall notify each state agency and public institution of higher education and the Directors of the Joint Legislative Budget Committee and governor's Office of Strategic Planning and Budgeting of any application, service, hardware or software that is added to or removed from the list.

J. For the purposes of this section:

1. "Confidential or sensitive information" includes information technology configurations, criminal justice information, financial data, personally identifiable data, sensitive personal information or any data protected by federal or state law.

2. "Covered application" means a social networking service and any current or future successor application or service developed or provided by a private Chinese internet technology company founded on March 13, 2012 or any entity owned or operated by a private Chinese internet technology company founded on March 13, 2012.

3. "Public institution of higher education" means a university under the jurisdiction of the Arizona board of regents or a community college as defined in section 15-1401.

4. "Sensitive location":

(a) Means any location, whether physical or electronic, that is used to discuss confidential or sensitive information.

(b) Includes video conferencing and electronic meetings rooms.

5. "State business" includes the act of accessing any state-owned data, state-owned application, state email account, nonpublic facing communication, voice over internet protocol, short message service, videoconferencing and any other state database or application.

6. "State employee":

(a) Includes:

(i) Any full-time or part-time employee of this state.

(ii) A contractor of this state.

(iii) A paid or unpaid intern of this state.

(iv) Any user of a state network.

(b) Does not include a county, city or town employee.

7. "State information technology" includes all state-issued and owned cell phones, laptops, tablets and desktop computers and any other state-issued and owned electronic devices that are capable of internet connectivity."

Amend title to conform


And, as so amended, it do pass

 

TIMOTHY M. DUNN

CHAIRMAN

 

 

2416GOVERNMENT.docx

02/15/2023

10:45 AM

C: AH